[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1073206: marked as done (bullseye-pu: package python-aiosmtpd/1.2.2-1+deb11u1)

Your message dated Sat, 29 Jun 2024 10:47:48 +0000
with message-id <E1sNVcS-002btK-8L@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1073206,
regarding bullseye-pu: package python-aiosmtpd/1.2.2-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073206
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: python-aiosmtpd@packages.debian.org, dale@dalerichards.net
Control: affects -1 + src:python-aiosmtpd
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
This update resolves two security vulnerabilities present in
the version of python-aiosmtpd in Bullseye (1.2.2-1):

  * CVE-2024-27305 - SMTP smuggling due to poor handling of
    non-standard line endings (Bug: #1066820)
  * CVE-2024-34083 - STARTTLS unencrypted command injection
    (Bug: #1072119)

These have both been deemed unworthy of a DSA, but the
Security Team have suggested we update this package for the
next Bullseye point release.

[ Impact ]
Without this update, Debian 11 systems running aiosmtpd would
remain vulnerable to the two CVEs listed above.

[ Tests ]
The upstream package includes a comprehensive suite of tests,
all of which are passing with this new version. Additionally,
I have installed the new package on a Bullseye test box and
performed manual testing, confirming that the package's main
functionality works and that the two vulnerabilties are
correctly resolved.

[ Risks ]
The code changes are minor, and bring aiosmtpd into compliance
with the relevant sections of RFC 3207[1] and RFC 5321[2].
The update can therefore be considered low risk, and will not
cause an issue with any RFC-compliant SMTP client or MTA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * CVE-2024-27305 - Patch aiosmtpd/smtp.py to accept only <CRLF>
    as a line terminator, as mandated by RFC 5321[2]. This patch
    has been adapted from the fix committed upstream[3].
  * CVE-2024-34083 - Patch aiosmtpd/smtp.py to discard any
    remaining unencrypted data in the input buffer upon completion
    of a STARTTLS handshake, as mandated by RFC 3207[1]. This patch
    has been adapted from the fix committed upstream[4].

[ Other info ]

References:

[1] https://datatracker.ietf.org/doc/html/rfc3207#page-7
[2] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
[3] https://github.com/aio-
libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
[4] https://github.com/aio-
libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda

diff -Nru python-aiosmtpd-1.2.2/debian/changelog python-aiosmtpd-1.2.2/debian/changelog
--- python-aiosmtpd-1.2.2/debian/changelog	2020-12-19 15:05:26.000000000 +0000
+++ python-aiosmtpd-1.2.2/debian/changelog	2024-06-14 14:09:42.000000000 +0100
@@ -1,3 +1,13 @@
+python-aiosmtpd (1.2.2-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * CVE-2024-27305 - SMTP smuggling due to poor handling of
+    non-standard line endings (Closes: #1066820)
+  * CVE-2024-34083 - STARTTLS unencrypted command injection
+    (Closes: #1072119)
+
+ -- Dale Richards <dale@dalerichards.net>  Fri, 14 Jun 2024 14:09:42 +0100
+
 python-aiosmtpd (1.2.2-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch
--- python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/0005-cve-2024-34083.patch	2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,19 @@
+Description: CVE-2024-34083 - STARTTLS unencrypted command injection
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -209,6 +209,9 @@
+             self._reader._transport = transport
+             self._writer._transport = transport
+             self.transport = transport
++            # Discard any leftover unencrypted data
++            # See https://tools.ietf.org/html/rfc3207#page-7
++            self._reader._buffer.clear()  # type: ignore[attr-defined]
+             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
+             # _extra a protected attribute?
+             self.session.ssl = self._tls_protocol._extra
diff -Nru python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch
--- python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/0006-cve-2024-27305.patch	2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,30 @@
+Description: CVE-2024-27305 - SMTP smuggling
+ SMTP smuggling due to poor handling of
+ non-standard line endings
+Author: Dale Richards <dale@dalerichards.net>
+Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
+Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+Last-Update: 2024-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -31,7 +31,7 @@
+ 
+ DATA_SIZE_DEFAULT = 33554432
+ EMPTYBYTES = b''
+-NEWLINE = '\n'
++NEWLINE = '\r\n'
+ 
+ 
+ class _Missing:
+@@ -876,7 +876,8 @@
+         size_exceeded = False
+         while self.transport is not None:           # pragma: nobranch
+             try:
+-                line = await self._reader.readline()
++                # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
++                line: bytes = await self._reader.readuntil(b'\r\n')
+                 log.debug('DATA readline: %s', line)
+             except asyncio.CancelledError:
+                 # The connection got reset during the DATA command.
diff -Nru python-aiosmtpd-1.2.2/debian/patches/series python-aiosmtpd-1.2.2/debian/patches/series
--- python-aiosmtpd-1.2.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-aiosmtpd-1.2.2/debian/patches/series	2024-06-14 14:09:42.000000000 +0100
@@ -0,0 +1,2 @@
+0006-cve-2024-27305.patch
+0005-cve-2024-34083.patch

--- End Message ---
--- Begin Message --- 
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---
Reply to: